The Health Insurance Portability and Accountability Act (HIPAA) has been transformative for hospitals, mandating new measures for protecting the confidentiality, integrity, and availability of patients’ protected health information. Originally introduced to help people between jobs with their health insurance policies at a time when health records were going electronic, HIPAA has evolved to become a cornerstone of patient security and privacy.

The importance of HIPAA compliance

In the years after HIPAA was first passed, two of its most important sets of regulations were enacted: the Privacy Rule and the Security Rule. Although there are some differences between the two rules, taken together they require hospitals and other healthcare organizations to implement physical, technical, and administrative safeguards to keep patient’s health information secure, including electronic protected health information (ePHI). A recent ransomware attack  at Texas Tech University Health Sciences Center, which led to the exfiltration of data for 1.46 million people, illustrates the challenge and necessity of protecting patient records.

Violations can cause serious legal and financial harm as well as reputational damage. The possible consequences of non-compliance include hefty fines and settlements and criminal penalties such as jail time. Here are some examples of HIPAA violation fines and settlements from the past year:

• $950,000 settlement, Heritage Valley Health System, for:
  • Failure to conduct a risk analysis
  • Lack of policies/procedures for responding to an emergency
  • Lack of technical policies and procedures for restricting access to systems containing ePHI
• $500,000 settlement, Plastic Surgery Associates of South Dakota, for:
  • Risk analysis failure
  • Risk management failure
  • No analysis of logs of system activity
  • No policies for dealing with a security incident

• $100,000 civil monetary penalty, Rio Hondo Community Mental Health Center, for failure to provide timely access to medical records (seven months)

Additionally, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) keeps a publicly available list of reported breaches (sometimes referred to as the “Wall of Shame”).

Physical security & HIPAA: What’s the connection?

Notably, because many healthcare professionals have been seen as emphasizing cybersecurity more than physical security, the OCR has stated that physical safeguards are “often overlooked” as a requirement of HIPAA’s Security Rule. By helping limit physical access to a patient’s protected health information, connected physical security devices can go a long way toward helping hospitals ensure their HIPAA compliance. Access control systems, cameras, and sensors control who gets to go where and when. 

However, any problems that prevent those devices from working properly can put hospitals at risk of non-compliance. Extended, undetected downtime and cybersecurity vulnerabilities can enable hackers to access patients’ personal information. It’s essential that physical security and IT teams have real-time visibility across all their connected devices for early identification of downtime and data breaches. If both teams don’t realize there’s a problem, they can’t keep their patients safe and make sure they are compliant with HIPAA.

How to keep your hospital physical security devices HIPAA-compliant

Four steps you can implement to protect patient health information include:

1. Track password strength and rotation

Make sure to change any device’s default password and use long, complex, and difficult-to-crack passwords. Consider 64-character passwords, for example, even if less are required. Enforce password rotation policies. Leaving old passwords in place means that people who shouldn’t be able to access devices, such as former employees, contractors, and vendors, can still see information they shouldn’t.

2. Patch known vulnerabilities fast

Given the high cost of data breaches in the healthcare industry, updating firmware across your connected physical security systems is essential. It’s also important to document your vulnerability management and patching processes.

3. Stay abreast of End of Service (EOS) dates

Make sure that:

• All your devices are supported by their manufacturers
• There are no gaps in coverage 
• You have the budget to replace all obsolete devices

4. Stay on top of certificate rotation

Rotating certificates helps prevent outages, and tracking these certificates highlights upcoming expirations and out-of-date issues. Implementing proactive certificate management can mitigate these risks significantly.

To see whether your hospital’s physical security device management can be doing more  to keep your organization safe, download our five-step maturity model eBook.